Posted by kdawson on Monday January 18, 2010 @09:53PM from the in-the-front-door dept.

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.

But what does SourceSec get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....

It probably has more to do with the fact that SourceSec isn't a security firm. It's an exploit blog. The whole purpose is to launch everything as 0-Day so script kiddies can get out there and use it, making companies look like fools.

Make no mistake, these are the bad guys; they just dress up what they do to have an air of professionalism about it.

The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:

"Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"

versus

"Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we go through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."

TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.

20 years ago, I would have agreed with you. But I survived the Morris Worm attack back then because I'm paranoid, and repeated attacks since then due to vulnerabilities that vendors refused to address. And the secrecy of such graceful submissions just leaves the knowledge in the hands of the crackers, who share it on their warez sites and IRC channels, and not in the hands of reasonable admins who need to assess the risks of patching and the risks of particular products. I've in fact seen this occur with C

The kind of gracious pre-notification you are suggesting, in this day and age, needs to be earned. And D-Link hasn't earned it, with their history of GPL violations and delay on publication of security vulnerabilities.

And their customers, what have they done to earn the inevitable increase in attacks, other than to not know better than to buy D-Link products?

And their customers deserve to be vulnerable for weeks or months longer if D-Link lags in producing an update or patch? Or not to be notified that they can simply turn off remote administration in the short term? No, leaving them vulnerable this way is a frequent problem with many software packages, and we as customers don't deserve to not be notified of these issues.

This isn't about carrot and stick. The people that discovered this get nothing from it. They aren't the owners of the company, they don't work for the company, and they probably don't even use the products in question.

In fact, the only thing these people -do- get is recognition that they found some serious flaws in other peoples' stuff. And they get that whether they work with the companies or not. (Sadly, they get -far- more attention if they don't work with the companies, so that gives them a push tow

It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long).

They would have lost time. Any time you wait for the vendor to address the issue (at their leisure) is time the black hats are exploiting the vulnerability freely. Announce the vulnerability immediately so those affected can take measures to limit their exposure. That is responsible dis

If by "work" you mean makes it easy for people to get exploited for no good reason other than "to make a point" (i.e. get some publicity), then sure, it works; as far as protecting people, no, it doesn't.

Instead of the potential that a few people may have found the exploit and may be exploiting it, you instead have lots of people who most certainly do know about it, including the ones who are most certainly going to take advantage of it. What's better is that the likelihood of these devices EVER being updated by th

These are routers that would have had to have their firmware updated, as the update (from TFS) introduced the vulnerability. So yes, these are geeks that are in danger, ones who would be willing to update again.

Indeed, this is becoming the reality. Software and hardware vendors have become complacent with the fact that researchers will give them ample time to ignore a problem.

The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

... and how do you explain the release of the handy-dandy exploit tool along with the "disclosure"?

I smell a rat here.

1. No notification at all, not even a couple days.
2. They release not only the problem, but also a TOOL so it can be immediately exploited. (incite FUD)
3. Report that ALL devices since 2006 have this issue. In reality, only a very small number have the issue (people who specifically updated on their own). (FUD ^2)
4. Have a fixed firmware already setup to be installed, since D-Link won't be a

Agreed. Also, some of the above posts are nothing but weak excuses for creating a problem. On top of it, it's not the manufacturer who's at particular risk, it's all the users. One does the right thing regardless of the other party. Which should be a natural point of integrity for any person.

D-Link would've done jack shit like every other company without being publicly humiliated.

Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.

It also gives them the "chance" to slap you with a court order to shut you up. Take a look at the history of the "8lgm", or "eight-legged groove machine". Their old site is at http://www.8lgm.org/: it's a fascinating bit of security and legal history.

I remember once a guy found a vulnerability in some electro-mechanical door locks (can't remember exactly what it was but I remember it was super easy to pull off and could cause the locks to get stuck in an unlocked state without giving any warning). He said he would only release the info to the manufacturer if they promised to replace all the locks in question free of cost to the owners. They didn't, so he publicized the vulnerability and the company was rightly shamed.

If that is true, then just publishing it is the only way to go. And that would indeed show stupid arrogance on the side of D-Link (in this case), and will come back to haunt them.

However I still think it would be nicer to first notify D-Link, followed by full disclosure after a reasonable time (which I think is no more than 30 days). That should allow D-Link to come up with a fix in time. If D-Link doesn't then it's time to put them to shame.

Then start publishing the fact that you found a 0-day vulnerability, that supplier of said software/device is unwilling to fix it, and instead sued you and put you under a gag order that prevents full disclosure of the actual vulnerability - and suggest that it is just a matter of time before the black-hats find out as well, and that everyone is at risk. That's pretty much what I recall Google has done before ("we are forced to remove several links from your search results, click here to see which links tha

TFA mentions that DLink has published new firmware for the routers already. But I've got a DIR-655/A4, and their support site still only lists firmware from last September (v1.32NA) and the firmware check in the router says it's the latest. Where are these updated firmwares available?

The way I'm reading it, they mean the company that found the problem has published its own bootleg patch. I don't think D-Link has done anything. And if I were you, I wouldn't broadcast the fact I had that router.

And I know a stack of corporate and educational sites, and household setups, that allow this. Some consider their internal machines secure (which they are not), others consider the "open environment" more important, others consider the ease of remote access for their single admin or their often telecommuting key technical admin more important.

My concern with the DIR-655 is that I'm still at v1.21 [HW rev A3]. I've read nothing but nightmare stories of people with perfectly stable 1.2x routers who then upgraded to 1.3X firmwares and had tons of trouble and instability. At v1.21 my router is absolutely rock solid. This is the best, most stable wireless router I've ever had. If the 1.21 firmware is affected, and I'm forced to upgrade to 1.3X and it causes my router to become unstable, I'm going to be PISSED!

I upgraded my DIR655 to the latest and started having a lot of trouble. Then I turned off the internal DNS server and POOF, everything was great again. If you have trouble after the upgrade that is obviously coming, put that on your list of things to try when you have weird issues.

I know the bug you're talking about, that seems to be more common with firmware versions later than 1.21. Connection to the outside slows to a crawl, then stops altogether. You can still talk to other machines on the LAN, but you can't get to the router's management page, so the only thing you can do is reset the device.

I've had this problem even with version 1.21 of the firmware, but the frequency has gone down dramatically over the past few months. I've only had to reset it once since the new year, so I a

Have you ever tried to contact D-Link? Remember, they have DDOS'd NTP servers, and they continue to publish BUGGY dynamic DNS clients even when given bug reports.

D-Link outsources their routers to 3rd parties. The developers can not follow bug reports unless, sadly, they are written in Mandarin or Simple Chinese. And unless the bug report is blindingly and stupidly obvious (or on Slashdot), there's no one at D-Link US headquarters who cares enough to start a billable conversation with the contract develope

Years of experience with trying to get them to actually SUPPORT the crap they ship has taught me this.

Their "pro grade" support is SLIGHTLY better. But it's the difference between getting a root canal with no pain killers and getting a root canal with no pain killers while being repeatedly kneed in the nuts (which is ESPECIA

For companies like these, all of the software and hardware is outsourced, right down to the board layouts and case design. I worked with Netgear a while back, and no one who spoke English as a native language had the foggiest clue of what the software did, or even where the source was.

The same was true of Linksys before the Cisco acquisition, though now all of the development is being dragged back in-house, as is Cisco's preference.

These sorts of companies exist purely as marketing and sales, and don't know

Who could possibly have suspected that silently enabling a "remote management" interface with weak authentication could possibly make a device less secure?

To whose benefit is this HNAC stuff, anyway? It seems to be largely invisible to the user and not aimed at them. Are ISPs supposed to be "managing" our routers now?

a) No, ISPs aren't supposed to manage our routers, which is why HNAP is not supposed to be enabled on the outside facing interface. It isn't enabled on the outside facing interface on D-Link routers either, which is why the vulnerability write up mentions that this is an attack either from the LAN or via cross scripting to be executed via the home user's browser.

b) The benefits of HNAP are very simple: management applications can correctly discover network devices on a home network if they implement HNAP, and can manage the devices via a common protocol. You can install an app on your machine that manages your NAS, your router, your streaming media player and whatever else you have on the network - and you don't have to learn their interfaces but can use one common app to do it all in case you're not too technically inclined.

The protocol itself isn't really that bad of an idea - of course it should be implemented securely and ideally should also offer being disabled on a per device basis.

Who the fuck thought it would be a good idea to allow other apps to open the firewall?

UPnP allows something similar. Disabling such features wouldn't necessarily gain much because if malware does get in, it's just as easy to initiate the connection from inside the home firewall and keep it open - with the added benefit that the control server knows which nodes are online because there are connections open to them. Otherwise it'd have to keep a list of which IP addresses are compromised and contact each one whenever it wants to do something - which would be slow, and wouldn't deal very well

What exactly is the problem with management apps reading from and writing to network device configuration as long as it's implemented securely?

That it won't be implemented securely in many cases.

Effectively you have an RPC interface which can be called by a web browser; that is an insanely bad idea, because any security flaw which exists can be remotely exploited by telling the web browser to access the relevant URL. I don't believe there's any similar way to remotely exploit flaws in an SNMP interface.

>"The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected."

It's one thing to be a commenter/whistle-blower - it is entirely another to be an apologist in the same breath.

It looks like this might be a broader issue than just DLink routers. Several comments on TFA seem to suggest that the HNAP remote management interface is a part of the SDK for the board used in these routers. This implies that any router based on this board might have this vulnerability. The DD-WRT hardware incompatibility list [dd-wrt.com] happens to have a list of routers that use UBICOM boards.


Given Ubicom makes their own CPU, I would be surprised if it isn't in all Ubicom boards past a certain software revision. Ubi

If anyone has a DGL-4500 router, and experiences constant lockups with it (forced to power cycle the unit); you're not alone. Apparently, there is a bug with DNS forwarding that started with firmware rev 1.21. It's been since July 2009, and the best you can hope for is an update still in beta. We are talking about their newest high-end gaming router here with extra features that make a nice small office router too.

As it stands, users of this model are furious. Some are threatening a class-action lawsuit against them. By all means, please read through the D-Link forum before you think about buying one of their products.
http://forums.dlink.com/index.php?board=144.0


Odd, I have this model... and with v1.15 (2008/10/29) the admin page says I have the latest version of the firmware. I wonder if they stopped pushing anything that came later.

Yeah, I've found Airlink products to be pretty good too, for low-cost hardware. Though leaving a passwordless telnet root login open by default on their IP webcam wasn't the most secure configuration ever :).

As much as I do love m0n0 and PFS, it's not really the same market. These require x86 hardware, while DLink caters to the low-cost OTC MIPS-type stuff, much more appealing to the non-techie home and SOHO user, to whom I enthusiastically recommend Tomato-compatible hardware, such as the always-on-sale ASUS WL520-gu.

But yeah, I've never understood why DLink is as popular as it is. I've seen countless numbers of those things either fail right out of the box, or begin to fail, either outright or in subtle ways,

For an office of say 10 employees, a SOHO router is just fine. It's cheap, easy to configure, and solid state. They can also be mounted on a telco baseboard along with the rest of the equipment too. Why cobble together a used PC (or new) to run M0n0wall for just 10 users? Not worth the time IMHO. Just plug in a WiFi Linksys box and be done with it!

How about just busting into their wifi? There is an AP near the tram stop I use called "DLINK". I use it some times to check stuff while waiting for the tram to go. Now every time I go past an AP called DLINK (and there are a lot of them) ubuntu tries to connect. A lot of the time it gets on too.

Now every time I go past an AP called DLINK (and there are a lot of them) ubuntu tries to connect.

This is the big problem with unsecured access points. Linux is probably pretty safe but if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?) and you could be pwned pretty readily either by the owner of the access point or by someone else who just happens to be connected too.

if you have an unsecured access point called 'DLINK' at home and you run Windows with the network set to 'home' or 'work' then it is going to connect to any unsecured access point called 'DLINK' (how would it tell the difference?)

I can't say for all the affected routers but the D-Link 655 has a guest mode for unsecured wireless networks. This means this essid only provides internet and not access to the LAN. To get to the LAN you need to use the other secure essid (the router can handle multiple wireless networks with varying security).

Don't feel bad. All I have to contribute is "A stable rev of dd-wrt for the DIR-655 that addresses speed issues with the existing version, and I won't care." (Besides, my wireless routers are behind another unaffected router.)

This is nothing new. In fact, review the many easy hacks against several router manufacturers and you'll discover a lot of them (many exploiting UPnP) have FAILED to patch these issues for many YEARS. A good many of these routers are wired routers with the public being told to buy a wireless router instead (many of which remain unpatched to several malicious exploits!) when all they really want is wired. Many wise individuals do not want to go wi-fi nor should they be forced to do so.

Router companies would then have to charge $400 for a consumer grade router.

Producing a router that doesn't have a fancy web interface that allows any web site to reconfigure it with an embedded image URL is likely to be cheaper than producing one which does have a fancy web interface with vast security holes.

The problem is that the companies go out of their way to make routers 'user-friendly', and in the process make them cracker-friendly too.

Older models, such as the DI-524, require authentication for all of the supported SOAP actions, but allow both the administrator and user accounts to execute any of these actions. This allows a malicious individual to use the often-ignored user account (default login of 'user' with a blank password) to perform administrative actions

If I read that right I should be fine as long as I secure the user account as well as the admin
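The quoted advisory text describes two separate defects on the management endpoint: authentication is required but not tied to authorization (any authenticated account can run any SOAP action), and a second account ships with a blank password. The following added example, which is not D-Link's or SourceSec's code, shows the vulnerable "authenticated means authorized" dispatcher beside a hardened one that maps each action to a required role and refuses blank credentials. The account table, the action names, the SOAPAction namespace and the passwords are all constructed for illustration.

```python
"""Vulnerable vs. hardened authorization for a SOAP-style router endpoint.

Added example, not vendor code. Accounts, actions and the SOAPAction
namespace (example.invalid) are constructed for illustration.
"""
import base64
import hmac

# Constructed account table: role and password per account.
# The 'user' account models a factory default that was never given a password.
ACCOUNTS = {
    "admin": {"role": "admin", "password": "correct horse"},
    "user":  {"role": "user",  "password": ""},
}

# Constructed mapping of SOAP actions to the minimum role required.
# Every action that changes device state requires the admin role.
ACTION_ROLE = {
    "GetDeviceSettings":    "user",
    "GetWLanRadioSettings": "user",
    "SetWLanRadioSettings": "admin",
    "SetAdminPassword":     "admin",
    "Reboot":               "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (demo helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (username, password) from a Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def action_name(soap_action_header):
    """Strip quotes and namespace from a SOAPAction value, leaving the action name."""
    return soap_action_header.strip('" ').rsplit("/", 1)[-1]


# --- vulnerable pattern -------------------------------------------------------

def authenticate_legacy(header, accounts):
    """Accepts any account whose stored password matches, a blank one included."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    account = accounts.get(user)
    if account is None or account["password"] != password:
        return None
    return account["role"]


def authorize_action_legacy(soap_action_header, auth_header, accounts=ACCOUNTS):
    """Authenticated means authorized: no per-action role check."""
    action = action_name(soap_action_header)
    if action not in ACTION_ROLE:
        return False, "unknown action"
    if authenticate_legacy(auth_header, accounts) is None:
        return False, "authentication failed"
    return True, "ok"


# --- hardened pattern ---------------------------------------------------------

def authenticate(header, accounts):
    """Like the legacy check, but blank passwords never authenticate and the
    comparison is constant-time."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    account = accounts.get(user)
    if account is None or not account["password"] or not password:
        return None
    if not hmac.compare_digest(account["password"].encode(), password.encode()):
        return None
    return account["role"]


def authorize_action(soap_action_header, auth_header, accounts=ACCOUNTS):
    """Authenticate, then require the role the requested action demands."""
    action = action_name(soap_action_header)
    required = ACTION_ROLE.get(action)
    if required is None:
        return False, "unknown action"
    role = authenticate(auth_header, accounts)
    if role is None:
        return False, "authentication failed"
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return False, f"{role} may not run {action}"
    return True, "ok"


if __name__ == "__main__":
    ns = '"http://example.invalid/HNAP1/'
    for who, pw, action in [("user", "", "Reboot"), ("admin", "correct horse", "Reboot")]:
        hdr = basic_header(who, pw)
        print(who, action, "legacy:", authorize_action_legacy(ns + action + '"', hdr),
              "hardened:", authorize_action(ns + action + '"', hdr))
```

The legacy dispatcher lets the blank-password `user` account reboot the device; the hardened one rejects the blank password outright and, even once that account is given a password, confines it to the read-only actions. Splitting the decision into "who are you" and "may you do this" is what keeps a forgotten second account from becoming an administrator.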

I have a DIR-615 (got it for free) running the latest firmware. It's mostly reliable but sometimes it kicks off all the computers on the wireless. Used to happen once every two days or so. It happens less frequently since I disabled "Short GI."

I wouldn't buy a BRICK from DLink anymore. I have yet to see anything made by them that wasn't the worst I'd ever seen of whatever it was. NICs, routers, switches, whatever, they were all crap, with crap drivers, crap firmware, crap everything. They must have the schmoozingest marketing department ever to still be in business.

Yeah, why do we always get the lame spam? To me this is just a sign of a lazy spammer. Target your audience spammers! At least offer us dodgy RAM or fake CPUs or something we might actually care about!

I don't know how far this attack goes, but there was an attack on some models of home routers in Mexico a while back which used an embedded image URL to reprogram their DNS to forward connections to a bank site to a phishing site so that they could steal passwords. If you can reconfigure the router in arbitrary ways then you can pretty much take control of the Internet as far as the computers on the LAN side are concerned, at least if they use DHCP to get their network information.
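Several comments in this thread point at the same mechanism: an RPC or web interface on the LAN that a browser can be steered into calling, whether by an embedded image URL or by a page that scripts a request, and the DNS-rewriting attack above shows why the consequence reaches every DHCP client behind the router. The added example below is not any vendor's code; it is a request gate a router's web interface could apply before a state-changing request reaches the configuration code. It checks three defender-side properties: state changes must be POST (an image tag can only issue GET), the Origin or Referer header, when a browser sends one, must name the router itself, and the request must carry a per-session anti-CSRF token. The router hostnames, the configuration paths and the sample requests are constructed for illustration.

```python
"""Gate browser-originated requests to a router's configuration interface.

Added example, not vendor code. ROUTER_HOSTS, STATE_CHANGING and the demo
requests are constructed for illustration.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: names under which LAN clients reach this router.
ROUTER_HOSTS = {"192.168.0.1", "router.local"}

# Constructed: paths that change device state and therefore need protection.
STATE_CHANGING = {"/apply.cgi", "/dns.cgi", "/HNAP1/"}


def issue_token():
    """Fresh per-session anti-CSRF token; the web UI embeds it in its own forms."""
    return secrets.token_hex(16)


def request_origin_host(headers):
    """Hostname named by Origin (preferred) or Referer, or None if neither is sent."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lower.get(name)
        if value:
            return urlsplit(value).hostname  # lower-cased, port stripped
    return None


def gate_request(method, target, headers, form, expected_token):
    """Decide whether a request may proceed. Returns (allowed, reason).

    method         HTTP method, e.g. "GET" or "POST"
    target         request target including any query string
    headers        dict of request headers
    form           dict of submitted form fields
    expected_token token issued to this session by issue_token()
    """
    path = urlsplit(target).path
    if path not in STATE_CHANGING:
        return True, "read-only path"

    # An <img src=...> or a plain link can only produce a GET, so refusing
    # GET for state changes removes the embedded-URL trick entirely.
    if method.upper() != "POST":
        return False, "state change requires POST"

    # Browsers attach Origin to cross-site POSTs; a foreign host is rejected.
    origin_host = request_origin_host(headers)
    if origin_host is not None and origin_host not in ROUTER_HOSTS:
        return False, f"cross-site origin: {origin_host}"

    # A scripted cross-site POST cannot read the token out of the router's
    # own pages, so requiring it blocks requests the origin check missed.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "missing or bad CSRF token"

    return True, "ok"


def run_demo(token):
    """Run constructed requests through the gate; returns the list of decisions."""
    # 203.0.113.0/24 is the TEST-NET-3 documentation range; no real resolver.
    requests = [
        # embedded image URL trying to rewrite the primary DNS server
        ("GET", "/dns.cgi?dns1=203.0.113.5", {"Referer": "http://attacker.example/"}, {}),
        # scripted cross-site POST, token guessed wrong
        ("POST", "/dns.cgi", {"Origin": "http://attacker.example"},
         {"dns1": "203.0.113.5", "csrf_token": "0000"}),
        # legitimate submission from the router's own page
        ("POST", "/dns.cgi", {"Origin": "http://192.168.0.1"},
         {"dns1": "192.168.0.1", "csrf_token": token}),
        # same origin but the form lost its token
        ("POST", "/dns.cgi", {"Origin": "http://192.168.0.1"}, {"dns1": "192.168.0.1"}),
        # harmless status page
        ("GET", "/status.cgi", {}, {}),
    ]
    return [gate_request(m, t, h, f, token) for m, t, h, f in requests]


if __name__ == "__main__":
    for decision in run_demo(issue_token()):
        print(decision)
```

The order of the checks matters for the failure mode this thread is about: the method check alone already defeats the image-URL attack, the origin check catches scripted cross-site POSTs from browsers that send Origin, and the token is the backstop for clients that send neither header. None of the three depends on the request having come from a trusted IP, which is the wrong question on a LAN where the attacker's page runs inside a trusted machine's browser.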